What is Account Takeover (ATO)?
“Oh Grandma, what big teeth you have…” - Little Red Riding Hood.
Account takeover (ATO) is a form of identity theft where a cybercriminal gains access to a legitimate account by using stolen credentials. Successful account takeover can have far-reaching ramifications including the exfiltration of sensitive data, financial theft, credit card fraud, and software supply chain attacks. These attacks often exploit the inherent weaknesses of using passwords as an authentication method.
Account takeover fraud was originally a concern for financial institutions due to the clear monetary incentive for attackers if they were successful. However, ATO attacks today present a challenge for any organization with customer or employee-facing login (which is pretty much every organization).
How account takeover fraud happens
Attackers have multiple vectors at their disposal for carrying out account takeover, including:
Brute force attacks. Attackers use a combination of logic, guesswork, and automation to guess usernames and passwords on target web applications until they get a match. These attacks sometimes leverage dictionaries of common words and phrases to guess passwords.
Credential stuffing attacks. Since people tend to use the same password across multiple accounts, one set of credentials being stolen can spell danger for other accounts. In credential stuffing attacks, cybercriminals obtain leaked or stolen credentials from one service and try the same credentials on other unrelated services.
Phishing. Scams like credential phishing and business email compromise remain popular techniques for attackers to get hold of credentials. For accounts without multi-factor authentication, successful phishing attacks can lead to account compromise.
Keystroke logging malware. Keyloggers, stealers, and other malware enable attackers to monitor their victims’ keyboard activity. These tactics continue to be effective at stealing passwords, particularly when used in conjunction with other attacks like vishing and scam phone calls.
Why ATO fraud is on the rise
Account takeover fraud has mushroomed over the past few years. Research from 2021 found that nearly 22% of U.S. adults have had their accounts taken over. The report also found that 57% of respondents who had suffered account takeover were sharing passwords across multiple online accounts.
The continued growth of account takeover is down to multiple factors, including:
Easily available breached credentials. There are billions of leaked credentials available on the dark web as a result of past data breaches.
Rampant password reuse. As mentioned earlier in this article, people’s tendency to reuse passwords across web applications gives attackers the fuel to launch account takeover attempts.
More online accounts. With digital lives becoming more important every day, there is an online account for everything. This increases the available attack surface for cybercriminals to target.
Weaknesses in digital supply chains. Every organization interacts with a host of suppliers, partners, and other third parties to conduct business. If attackers take over the account of a third-party supplier with subpar security, they can install backdoors and cause widespread havoc. Stolen passwords and account takeover contributed to multiple recent supply chain attacks including SolarWinds and Colonial Pipeline.
What is corporate account takeover (CATO)?
Corporate account takeover (CATO) is a form of account takeover where the victim’s account is a work account as opposed to an account for personal use. Depending on the victim’s level of access within their organization, attackers can steal a host of information after a CATO attack including employee details, sensitive customer data, and the company’s intellectual property.
The impact of account takeover
Once an attacker succeeds in account takeover, they have many roads of compromise to choose from:
Attackers typically play the volume game with account takeovers, seeking quick financial gain before moving onto their next target. This might include emptying bank accounts and cryptocurrency wallets, selling personal data or account details, and redeeming reward points from loyalty programs. Ecommerce fraud is also a common outcome here, with attackers using saved payment details to make multiple high-value transactions either for personal use or reselling.
If the attacker is able to obtain enough personal information as a result of the account takeover, they can commit identity theft. For example, attackers can open new lines of credit in the victim’s name, carry out insurance fraud, or sign up for multiple paid services.
For cybercriminals, ATO is the most effective form of impersonation. Information gleaned from account takeover can be used to carry out convincing phishing attacks against the victim’s friends, colleagues, customers, and partners.
If a victim’s email account is compromised, attackers can weaponize the account and use it as a vector for phishing attacks. These attacks can be hard to detect because everything points to the account being legitimate. Think of it like a car with valid license plates having a malicious driver behind the wheel.
Weaken public infrastructure
Attackers that are especially motivated and malicious can use account takeover to carry out cyberterrorism and materially impact public infrastructure. With the number of Internet-connected devices continuing to grow, a targeted ATO attack can pose a risk to public utilities and industrial control systems.
In early 2021, an attacker took over a TeamViewer account of a water plant employee and deleted programs that the plant used to treat drinking water. A similar attack was observed in a Florida water plant a few weeks later, where attackers were aiming to poison the water supply.
Account takeover protection tips
Here are some steps organizations can take to reduce the likelihood and impact of account takeover attacks.
Use passwordless authentication
Account takeover is caused by attackers obtaining and using stolen passwords to gain access to an otherwise legitimate account. Removing passwords from this equation – and implementing secure passwordless authentication for web applications – makes account takeover next to impossible.
Passwordless authentication verifies users with something they have (a device or security key) or something they are (biometrics) rather than something they know, improving both security and user experience in the process.
Implement multi-factor authentication (MFA)
For organizations not yet ready to move away from passwords altogether, implementing multi-factor authentication (MFA) is an effective way to protect against ATO fraud. MFA requires an additional factor after the username-password combination has been entered. Whether this is a one-time password sent via SMS or email, a biometric check with a fingerprint, or a PIN, an attacker holding only the stolen password will not have access to it.
Moreover, if the victim gets an OTP or PIN sent to their phone without logging into their account, they can be alerted to a potential account takeover attack and take measures accordingly.
Log abnormal user activity
Once account takeover is successful, it is very difficult to detect, and every second matters because the attacker can quickly change settings and exfiltrate sensitive data. Thus, monitoring anomalous behavioral signals to identify account takeover in progress can make a vital difference.
Some signals that point to potential account takeover include:
An attempted login from a malicious or suspicious IP address.
Multiple user accounts being accessed from the same device or IP address.
Details being changed on multiple accounts within a short period of time (e.g. shipping information, credit card details, passwords).
An unusually high number of authentication attempts from the same IP within a short period of time.
“Impossible travel” where the same account is accessed from two geographically distant IP addresses within a short period of time (think Los Angeles and Lagos within 20 minutes).
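The last three signals above can be checked mechanically over a login log. The following is an added example, not code from the original article: it runs an impossible-travel check and a per-IP volume check over a constructed list of login events, using a hypothetical in-memory IP-to-coordinates table in place of a real GeoIP database. Thresholds (1000 km/h, 10-minute window, 20 attempts, 5 distinct accounts) are assumed starting points, not values from the article.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Constructed login events (timestamp, user, source IP, outcome); not real telemetry.
EVENTS = [
    ("2024-03-01T10:00:00", "alice", "203.0.113.7", "ok"),    # Los Angeles
    ("2024-03-01T10:12:00", "alice", "198.51.100.9", "ok"),   # Lagos, 12 minutes later
    ("2024-03-01T10:03:00", "bob", "192.0.2.44", "fail"),     # a single benign typo
] + [("2024-03-01T10:%02d:00" % m, "user%d" % m, "192.0.2.5", "fail") for m in range(8)]

# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup (hypothetical values).
GEO = {"203.0.113.7": (34.05, -118.24), "198.51.100.9": (6.52, 3.38),
       "192.0.2.5": (51.51, -0.13), "192.0.2.44": (48.86, 2.35)}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=1000):
    """Flag consecutive successful logins by one user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "ok" and ip in GEO:
            by_user[user].append((datetime.fromisoformat(ts), ip))
    flagged = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            km = haversine_km(GEO[ip1], GEO[ip2])
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # avoid division by zero
            if km > 0 and km / hours > max_kmh:
                flagged.append((user, ip1, ip2))
    return flagged

def noisy_sources(events, window_min=10, max_attempts=20, max_users=5):
    """Flag IPs that hit too many accounts or make too many attempts inside a sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = [u for t, u in attempts[i:] if (t - t0).total_seconds() <= window_min * 60]
            if len(users) > max_attempts or len(set(users)) > max_users:
                flagged[ip] = (len(users), len(set(users)))  # (attempts, distinct accounts)
                break
    return flagged
```

Both checks are deliberately conservative (only successful logins feed the travel check, and a source is flagged once per window) so that they can be tuned against real traffic before being wired to blocking.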
Confirmed account takeover attempts should be met with blocking the offending IP and working with the user to shore up their account. To minimize false positives without preventing real users from accessing their accounts, organizations can apply other mitigation measures such as:
Adaptive authentication that prompts the user for additional authentication factors based on their risk profile and behavior.
Serving a CAPTCHA after a certain number of login attempts.
Notifying the user of changes to their profile.